Snort mailing list archives

Re: FIFO instead of NIC


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 21 Jun 2013 08:42:33 -0400

On 6/21/2013 07:09, Tiaan Wessels wrote:
Hi,
I have installed snort on an Ubuntu machine. I have in /etc/snort a file
with DEBIAN_SNORT_INTERFACE="eth0" in it which results in snort starting at boot
with -i eth0 in its command-line. However, I want snort to start up on boot to
read from a fifo e.g. /tmp/eth0.fifo instead. Can someone assist to show how to
achieve this? I have a router sending all traffic to my Ubuntu machine in TZSP.
I have a program that strips off TZSP and dumps in pcap format to a fifo
/tmp/eth0.fifo and I want snort to use this traffic for analysis instead of the
Ubuntu machine's own eth0. Essentially I want the -i eth0 replaced with -r
/tmp/eth0.fifo but cannot figure out where in snort's configs to do this.
Thanks

you don't do it in the config... you find and modify the startup scripts in your 
debian installation... you'll probably find them in /etc/init.d or /etc/rc.d... 
most likely there will be one script linked into other places so be careful that 
you don't break it...

likely you'll just want to find the start up line in that script, copy it to a 
new line, comment out the original (for protection in case of a screwup) and 
edit the new line to change the "-i $DEBIAN_SNORT_INTERFACE" portion to "-r 
/tmp/eth0.fifo"...


-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
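
The edit described in the reply above, as an added example that is not part of the original post or of the Debian snort package: a shell function that backs up a startup script, comments out each line containing "-i $DEBIAN_SNORT_INTERFACE", and adds a copy that uses "-r" with the FIFO path. The function names and the sample startup line are constructed for illustration; the real init script on a given system may word or quote that line differently.

```shell
#!/bin/sh
# Added example; the init-script line below is constructed, not Debian's own.

# patch_snort_start SCRIPT FIFO
# For each non-comment line containing "-i $DEBIAN_SNORT_INTERFACE", keep the
# original as a comment and add a copy that uses "-r FIFO" instead.
# Returns 0 on success, 1 on file errors, 2 if no line matched.
patch_snort_start() {
    script=$1
    fifo=$2
    [ -f "$script" ] || { echo "no such script: $script" >&2; return 1; }
    cp -p "$script" "$script.orig" || return 1   # backup in case of a screwup
    awk -v fifo="$fifo" '
        BEGIN { pat = "-i $DEBIAN_SNORT_INTERFACE" }
        /^[ \t]*#/ { print; next }               # leave existing comments alone
        {
            pos = index($0, pat)                 # literal match, not a regex
            if (pos == 0) { print; next }
            print "#" $0                         # original line, commented out
            print substr($0, 1, pos - 1) "-r " fifo substr($0, pos + length(pat))
            changed++
        }
        END { exit (changed ? 0 : 2) }
    ' "$script.orig" > "$script.new" || { rm -f "$script.new"; return 2; }
    # Write through the existing file so its mode and any links to it survive.
    cat "$script.new" > "$script" && rm -f "$script.new"
}

# demo: build a constructed startup script in a temp dir, patch it, and
# print the path of the patched copy.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/snort" <<'EOF'
#!/bin/sh
# constructed sample startup script
start-stop-daemon --start --exec /usr/sbin/snort -- -D -i $DEBIAN_SNORT_INTERFACE
EOF
    patch_snort_start "$dir/snort" /tmp/eth0.fifo && echo "$dir/snort"
}
```

Try it on a copy of the startup script first and compare the result with the `.orig` backup before touching the file under /etc/init.d.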
